On Sun, December 14, 2014 23:09, Richard Damon wrote:
>
> I regularly get important messages from Financial Institutions.
> Yes, they will typically ask me to log into their web site for confirmation
> of the message or to send "sensitive" information, but they do
> send notices by email that they hope I will see.

As you write, I should have used either the word confidential or
sensitive instead of important. On the other hand nothing sent by
email is guaranteed to arrive at its intended destination.

>
> In fact, it is only because they DO send me email that a scammer has
> much chance of succeeding by sending a fake message, hoping that I
> will click on a link taking me to the wrong place.
>

Yes, which is why one never takes such links but copies and pastes
them into the address bar instead.

>
> If you read the standard, it says:
>
>    The originator fields indicate the mailbox(es) of the source of the
>    message. The "From:" field specifies the author(s) of the message,
>    that is, the mailbox(es) of the person(s) or system(s) responsible
>    for the writing of the message. The "Sender:" field specifies the
>    mailbox of the agent responsible for the actual transmission of the
>    message. For example, if a secretary were to send a message for
>    another person, the mailbox of the secretary would appear in the
>    "Sender:" field and the mailbox of the actual author would appear in
>    the "From:" field.
>
> The *AUTHOR* of the message is the person who originally wrote it, not
> the mailing list. A digest is something different, the digest, as a whole,
> WAS created by the list, just like if a person collects a number of
> pieces written by other people, that person IS the author of the
> collection, and the individuals who wrote the pieces are the
> authors of the pieces, but not the whole.
>
> The mailing list software is NOT the author of the individual messages, but
> much more like the secretary mentioned in the RFC.
>
> (I did say arguably because some people differ in this intent)
>

Many MLMs modify the contents of every message that they process. If
the message that is retransmitted is not in every respect identical to
the one originally received then how is that different from your
postulated situation?
Is it not a new message if the content changes, even if the change
consists of boilerplate? I suppose one could make the same argument
respecting those noxious MTAs that automatically add twelve lines of
vacuous legal babble threatening how misdirected mail should be handled
or else. In the original RFC much provision was given over to
identifying multiple authors and multiple resenders. Perhaps this
situation could be avoided if DMARC and MLM could agree on using the
resent-from headers instead of fixating on the From.

> >
> > The role of an MLM is really no different than if you or I forwarded
> > a message we received on to a third party. Who is the FROM id in
> > that case? Arguably, most MLMs have been doing it wrong since the
> > beginning and DMARC is just highlighting the logical inconsistencies
> > and contradictions in prevalent MLM practice.
> >
>
> The big difference is that the MLM is an AUTOMATED PROCESS (not
> significantly different from postfix). If I manually forward a message,
> that is not (by definition) an automated process, and generally the MUA
> will build a new message containing the original message (and possibly
> my notes about the message), so this is reasonable to change authorship
> of the forwarding to be the forwarder. As a point of reference,
> when you set up an automated forward rule for a mailbox to some other
> mailbox, THAT forwarding does NOT normally change the From: line.
>

Not so long ago I thought similarly but now have reservations on the
matter. For one, when one sends a message to a MLM one has sent it to
the MLM and not to the subscribers. It has been delivered to its
intended recipient. That transaction is complete. What the MLM chooses
to do with your message is now beyond your capacity to influence. And
whether the process is automated or subject to manual intervention by a
list owner really does not change the situation irrespective of any
limitations to either approach.

As for the secretaries in the RFC example that betrays a mindset of
which the pointy-haired boss would be proud. Given the time at which
the RFC was written (1982) I much suspect that what the RFC authors had
in mind was that the secretary would compose the message and then send
it out under her boss's name in much the same manner as secretaries
once typed the signatory's initials in caps and their own in lower-case
(AKL/jbb) at the bottom of letters that they, the secretaries,
generally wrote and had their boss sign.

I doubt that the authors had in mind that the boss would compose an
email and send it to his secretary just to have her retransmit it. I do
not recall offices working like that. Indeed, I do not recall managers
even having access to electronic messaging apparatus until well into
the 1990s or early 2000s. The big thing in 1982 was the IBM PC and Word
Perfect for DOS. And no manager with ambition would be caught dead
sitting at a word-processing machine. That was secretarial work.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
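Added example, not part of the original message: a Python sketch of why a list that appends a footer but keeps the author's From: fails DMARC, and why adding Sender: or Resent-From: changes nothing, since DMARC evaluates only the From: domain. The domains, the sample message and the list_resend helper are constructed; DKIM is reduced to the RFC 6376 "simple" body hash, SPF is assumed to pass for the stated envelope domain, and alignment is strict.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all domains are placeholders.
ORIGINAL = ("From: Alice <alice@bank.example>\nTo: list@lists.example\n"
            "Subject: notice\n\nPlease review the attached statement.\n")

def dkim_body_hash(body):
    """bh= value: SHA-256 over the DKIM 'simple' canonical body (RFC 6376 3.4.3)."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canon = text.rstrip("\r\n") + "\r\n"      # trailing empty lines are ignored
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def from_domain(msg):
    return parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def dmarc_strict(msg, signed_bh, dkim_d, spf_domain):
    """Pass if DKIM or SPF authenticated a domain identical to the From: domain."""
    author = from_domain(msg)                 # Sender:/Resent-From: are never consulted
    dkim_ok = dkim_body_hash(msg.get_payload()) == signed_bh and dkim_d == author
    return dkim_ok or spf_domain == author

def list_resend(raw, rewrite_from=False):
    """Hypothetical list manager: adds a footer and resender headers."""
    msg = message_from_string(raw)
    msg.set_payload(msg.get_payload() + "--\nlist footer\n")
    msg["Sender"] = "list-bounces@lists.example"
    msg["Resent-From"] = "list@lists.example"
    if rewrite_from:
        msg.replace_header("From", "Alice via list <list@lists.example>")
    return msg

def evaluate():
    orig = message_from_string(ORIGINAL)
    bh = dkim_body_hash(orig.get_payload())   # hash covered by the author's signature
    direct = dmarc_strict(orig, bh, "bank.example", "bank.example")
    # From: kept: footer breaks the author's body hash, SPF belongs to the list.
    kept = dmarc_strict(list_resend(ORIGINAL), bh, "bank.example", "lists.example")
    # From: rewritten and re-signed by the list: aligned with the list's own domain.
    rewritten_msg = list_resend(ORIGINAL, rewrite_from=True)
    new_bh = dkim_body_hash(rewritten_msg.get_payload())
    rewritten = dmarc_strict(rewritten_msg, new_bh, "lists.example", "lists.example")
    return direct, kept, rewritten

if __name__ == "__main__":
    print(evaluate())
```
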